I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

This control includes seven (7) sub controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there is one (1) IG1 control and seven (7) IG2 controls. This means that, at a minimum, we want to:

Install the latest stable version of any security-related updates on all network devices.

By this point in your CIS CSC journey, this control should feel like a layup. The identification, testing, and deployment of secure configurations and patches for servers, workstations, and mobile devices was handled way back in CIS CSC #2 & CIS CSC #3. Network devices are (usually) not making the headlines as targets of attack, but when they are the impact is massive. This was evicted most recently by the pulse VPN attacks. Many of these devices are not exposed to the public internet, so the attack surface for these devices is much smaller. The exception to that rule being your perimeter firewalls.

Standardization will be your friend here. Having standard builds for each device type will be easier to manage if the number of device types is kept small. Many of the device manufacturers will have their own utility for managing the devices, which can make configuration management easier. The tools listed below are more useful in performing the initial scans to build the security baseline, then perform periodic tests to identify and correct any configuration drift.

I am a big fan of Nipper for performing the device configuration reviews. The video below demonstrates the paid version, which is very reasonably priced. The configuration review will identify software vulnerabilities, as well as configuration weaknesses (such as the CIS Benchmarks).